From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: ruggero rossi <rugrossi@googlemail.com>
Subject: Re: [ptxdist] PTXDIST 2025.09.0: build failure of openssl-3.5.2 when gcc option -fzero-call-used-regs is not supported
Date: Fri, 19 Sep 2025 07:38:22 +0200 [thread overview]
Message-ID: <aMzsTlOa90pGbr4I@pengutronix.de> (raw)
In-Reply-To: <ea633f3d-68a4-42f0-ab3c-12a035edf6e6@t2data.com>
On Wed, Sep 17, 2025 at 11:18:31AM +0200, Christian Melki wrote:
> On 9/17/25 11:00 AM, ruggero rossi wrote:
> > On Wed, 17 Sep 2025 10:30:04 +0200
> > Christian Melki <christian.melki@t2data.com> wrote:
> > > Which version of gcc are we talking about?
> > It is quite old, but I'm bound to it because some software does not
> > compile with newer versions. It looks like that the -fzero-call-used-regs
> > is supported from GCC 11 (released April 2021).
> >
> > > GCC 11 should support this, but I don't know over which archs.
> > > It is there as a security enhancement. I would say something like less
> > > gadgets for ROP style attacks? And while it does slow down execution,
> > > for something like OpenSSL, it usually is worth it imho.
> > I agree.... The option is a must, when it is supported.
> >
> > Moreover, I found a comment in some openssh (not openssl) tracking,
> > saying that to detect whether a version of gcc supports the option or not
> > may be not trivial.
Note, that there used to be a patch that removed the flag. I looked into
this and decided it was time to remove it. I wanted the extra security.
If you absolutely need to use an old compiler, then you can find the patch
in older ptxdist versions and apply it locally.
Michael
> > > I don't see a suitable toolchain option or hardening flag in ptxdist
> > > that currently fits this cleanly. Not sure if something like this fits
> > > for a its own global pass either. Maybe someone else has another opinion.
> > >
> > > So my immediate suggestion would be to keep this local at your end for
> > > now.
> >
> > OK - and these messages remain as a help if anyone else has the same
> > problem.
>
> Indeed. Appreciate the time taken to report it.
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2025-09-19 5:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-17 6:32 ruggero rossi via ptxdist
2025-09-17 8:30 ` Christian Melki
2025-09-17 9:00 ` ruggero rossi via ptxdist
2025-09-17 9:18 ` Christian Melki
2025-09-19 5:38 ` Michael Olbrich [this message]
2025-09-19 6:08 ` ruggero rossi via ptxdist
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aMzsTlOa90pGbr4I@pengutronix.de \
--to=m.olbrich@pengutronix.de \
--cc=ptxdist@pengutronix.de \
--cc=rugrossi@googlemail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox